
CN112822675B - MEC environment-oriented OAuth 2.0-based single sign-on mechanism - Google Patents

Info

Publication number: CN112822675B
Authority: CN (China)
Prior art keywords: mec, user, mepm, oss, application
Legal status: Expired - Fee Related
Application number: CN202110030236.XA
Other languages: Chinese (zh)
Other versions: CN112822675A (en)
Inventors: 常晓林, 纪健全, 姚英英, 王建华
Current assignee: Beijing Jiaotong University
Original assignee: Beijing Jiaotong University
Application filed by Beijing Jiaotong University

Classifications

    • H04W12/06 Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

With the rapid development of 5G networks, traditional cloud computing can no longer meet the needs of edge devices for computation, analysis and resource processing, and Multi-Access Edge Computing (MEC) has been proposed in response. MEC is an open technology that makes it easy for service operators of all kinds to develop and deploy third-party applications according to users' business needs. However, this openness also exposes the resource data stored in the MEC environment to security and privacy threats. To ensure the security of private data in the MEC, the present invention proposes an OAuth 2.0-based single sign-on mechanism oriented to the MEC environment. The mechanism (1) realizes user identity authentication and authorization for the MEC environment, ensuring the security of resource data in the MEC by verifying the authenticity of the user's identity information and authorizing that identity's access rights; and (2) realizes unified authentication, which effectively reduces users' repeated registration, improves the user experience, and lowers the cost to service operators of managing account information.

Description

MEC environment-oriented OAuth 2.0-based single sign-on mechanism
Technical Field
The invention belongs to the field of cyberspace security, and particularly relates to a unified authentication and authorization mechanism.
Background
At present, the rapid development of 5G brings new requirements in data transmission bandwidth, latency, third-party applications and service performance. Unlike traditional cloud computing, which centralizes computing capacity, storage capacity and network management, MEC provides an IT service environment and cloud computing capability at the edge of the mobile network; part of the caching and computation is executed at the edge to reduce transmission latency, ultimately making millisecond-level applications possible. However, as MEC technology is adopted, the computing power of the cloud data center sinks to the network edge, which means that third-party application services deployed in the MEC environment are exposed to an insecure environment, and sensitive user data held in the MEC face a great security and privacy challenge. In addition, because users need many different applications, the repeated registration process not only harms the user experience and lowers service efficiency, but also raises the cost to the MEC system of managing user authentication information. Therefore, MEC security and unified user authentication are receiving increasing attention.
When the MEC provides application services, the security of service provision must be ensured first; authentication of user identities and of third-party applications, and the protection of sensitive user information, are the key security requirements.
First, every user who accesses a third-party application service through the MEC system must be authenticated, so that the information the user declares is verified and the user's access rights are determined. In addition, to protect the user's private data, the third-party application obtains resource data from the MEC system through an authorization flow, so that protected resources are shared securely without exposing the user's private information.
Second, in the MEC system different MEC hosts may be deployed by multiple vendors, and the third-party application services running on MEC applications are diverse, so the validity of each application must be authenticated. Moreover, a user has to register separately with each application used to access resource services, which is repetitive and tedious. Therefore, to simplify account management and improve the user experience, the MEC system needs unified user authentication, i.e. single sign-on.
Given these requirements, the identity authentication technologies that realize single sign-on can be divided as follows. The Kerberos protocol uses an authorization server to verify the user's identity and issue tickets to complete user authentication, but it is currently not suited to key management for massive user populations; the SAML 2.0 protocol supports user authentication and authorization across multiple trust domains and is powerful, but the protocol is complex; the OpenID protocol realizes single sign-on by requesting and presenting a token, but its adoption is currently limited and it makes it easy for the identity provider to track user access; the OAuth 2.0 protocol allows a third-party application to obtain resources from the resource owner using an access token and is widely deployed. Therefore the OAuth 2.0 protocol is selected for extension, and single sign-on for the MEC environment is realized while ensuring application security.
The aim is to verify the authenticity of a user's identity when the user accesses resource services in the MEC system, to ensure the confidentiality and integrity of the user's sensitive information, and to realize unified identity authentication and authorization of users in the MEC environment.
Disclosure of Invention
The invention aims to provide a unified identity authentication and authorization mechanism based on OAuth 2.0 for the MEC system. On the premise of verifying that the user's identity is authentic and valid, a third-party application obtains resource data in the MEC host through user authorization, which avoids the leakage of account information and protects the privacy of user data.
The invention further aims, with this OAuth 2.0-based unified identity authentication and authorization mechanism for the MEC system, to realize single sign-on, avoid repeated registration and verification when a user accesses MEC resource services through a trusted application, and reduce the cost to the service provider of maintaining the trusted application system.
In order to achieve this purpose, the invention adopts the following technical means:
an MEC environment-oriented OAuth 2.0-based single sign-on mechanism, whose system model comprises the following entities:
the system mainly comprises five types of entities, namely the Operations Support System (OSS), the Mobile Edge Platform Manager (MEPM), the MEC Host, third-party applications and an LDAP server.
Operations Support System (OSS): the OSS checks the access requests and authorization information of third-party applications deployed in the MEC environment. Request data that has been authenticated and authorized by the OSS is forwarded to the MEPM for processing.
Mobile Edge Platform Manager (MEPM): the MEPM includes the functions of creating, terminating and managing the authentication of MEC applications.
MEC Host: the MEC host comprises three parts, a Mobile Edge Platform (MEP), MEC applications and a virtualization infrastructure. The MEP provides the operating environment for MEC applications; an MEC application is a virtualized program that interfaces with third-party applications through an open application programming interface so as to provide various services to the user; the virtualization infrastructure provides the underlying hardware computation and storage on which multiple MEC applications run.
Third-party application: a third-party service provider designs an application according to business requirements; the third-party application requests protected resources from the MEC system in order to provide application services to legitimate users.
LDAP server: used to send Lightweight Directory Access Protocol requests, process queries, update access control lists, and return user information.
An MEC environment-oriented OAuth 2.0-based single sign-on implementation mechanism comprises the following steps:
Third-party application registration
In the registration stage, the third-party application and the MEC host negotiate a session key, which provides an SSL-encrypted channel for the subsequent unified user authentication and authorization process and ensures the security of data transmission. The following operations are performed:
- the certificate authority encrypts (signs) with its own private key the encryption algorithm, public key, certificate expiration time and other information of the third-party application client and of the MEC host, thereby generating digital certificates that are sent to the client and to the MEC host respectively;
- the third-party application client selects the SSL version, encryption algorithm, MAC algorithm and so on that it supports, appends a client random number, and sends them to the MEC host;
- the MEC host confirms the supported encryption algorithm and sends the client its digital certificate, which contains its public key, the issuing authority and other information, together with the MEC host random number;
- after verifying the authenticity of the digital certificate, the client generates a random secret, encrypts this newly generated secret with the MEC host's public key, and sends it to the MEC host;
- the MEC host decrypts the secret with its private key; the client and the MEC host then derive a session key from the two previously generated random numbers and the newly obtained secret using the negotiated algorithm, and all subsequent communication is encrypted under that key.
Authentication and authorization
The authentication and authorization stage comprises two parts: the user's first access to a resource service in the MEC system through a third-party application, and the user's subsequent access to MEC system services through an authorized (trusted) application.
The authentication part, namely the user's first login, performs the following operations:
- when the user logs in to a third-party application for the first time and makes a resource access request to the MEC system, the third-party application finds that the user is not logged in and sends an authentication request carrying the user name/password to the OSS;
- the OSS deploys an LDAP server for centralized user management and authentication, and queries the access control list (ACL) from the LDAP server according to the user information;
- the OSS checks the user's identity against the obtained user name and password, and saves the login state after the identity is verified successfully;
- the OSS sends authorization information to the user; after the user agrees to the authorization, the OSS sends the third-party application identifier App_id, the redirection address, the response type, the access scope, the state random number state, the timestamp and other parameters to the MEPM;
- the MEPM confirms that the application is a trusted entity and then sends an authorization code to the third-party application, the authorization code carrying a random number and a timestamp parameter;
- the third-party application sends the authorization code, App_id, its own key App_secret, the random number and the timestamp together to the MEPM to request an access token in exchange;
- the MEPM encrypts the access token with App_secret and returns it to the third-party application, together with a refresh token for the subsequent update process;
- the third-party application stores the tokens locally; every subsequent resource request to the MEC system carries the access token, the MEPM checks the validity of the token, and returns the user's resource data when the token is valid.
The authorization part, namely the user's second login, performs the following operations:
- unlike the first login through a third-party application, when the user accesses a trusted application, the trusted application sends its access token to the OSS;
- the OSS determines whether re-authentication is required by checking the user's login state in the database; if the login state is confirmed valid, control passes to the MEPM to check the validity of the access token;
- after the MEPM confirms that the access token is valid, the user information data in the MEC is returned directly;
- if the MEPM judges the access token invalid, an authorization page is returned to the user, who must confirm the authorization again but does not need to log in again;
- after the user confirms the authorization, the trusted application sends App_id, the refresh token encrypted with App_secret, a random number, a timestamp and other parameters to the MEPM;
- the MEPM updates the access token according to the refresh token and returns it;
- the trusted application requests the resource data in the MEC host using the new access token.
The invention has the following beneficial effects:
(1) the invention provides a unified authentication and authorization mechanism based on OAuth 2.0 for the MEC environment, which ensures the security of the resource data stored in the MEC system;
(2) by implementing the method, single sign-on is realized: when a user accesses several third-party services deployed on MEC applications, the user authenticates once and can then access the other trusted applications, eliminating unnecessary repeated registration and authentication;
(3) by implementing the method, the user's private information is protected: the trusted application obtains resource data from the MEC system through authorization, the transmission of sensitive information such as account credentials is reduced, and data leakage is avoided;
(4) the method simplifies the management of user account information for all vendors by adopting a unified authentication mechanism, and reduces the maintenance cost of third-party application systems.
Drawings
FIG. 1 is a schematic diagram of a system architecture;
FIG. 2 is a schematic diagram of a user first login during a system authentication and authorization phase;
FIG. 3 is a schematic diagram of the user's second login in the authentication and authorization phase of the system.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings.
As shown in FIG. 1, the single sign-on system of the embodiment of the present invention includes the following entities:
the user terminal, through which the user accesses the third-party application via the terminal device so that the corresponding service requirements are met;
the third-party application, which the service provider deploys on the MEC platform through the open interface to provide business services to the user; it receives identity information such as the user's account name and password and helps the user complete the login and authorization operations;
the operations support system OSS, which checks the access request and authorization information of the third-party application deployed in the MEC environment and, after verification passes, sends a token request to the MEPM;
the LDAP server, which is used to query user information quickly, obtain access control permissions, and help complete user identity authentication;
the MEC host, which provides the underlying protected resource data and comprises a Mobile Edge Platform (MEP), MEC applications and a virtualization infrastructure: the MEP provides the operating environment for the MEC applications, an MEC application is a virtualized program that interfaces with third-party applications through an open application programming interface so as to provide various services to the user, and the virtualization infrastructure provides the underlying hardware computation and storage on which multiple MEC applications run;
and the MEPM, which manages the creation, termination and authentication of MEC applications, verifies the validity of the third-party application, and completes operations such as creating and updating tokens.
The single sign-on mechanism of the embodiment of the invention comprises the following steps:
A. performing a registration process for a third-party application that interfaces with an MEC application and uses MEC platform resources: a session key is negotiated between the third-party application client and the MEC host, and an SSL-encrypted channel is established;
B. the user completes the login operation with an account name and password, the MEPM generates and returns a token according to the user's access rights, and the third-party application is allowed to access resource services in the MEC system;
C. when the user accesses a trusted application, the trusted application carries an access token, and the MEPM authorizes the trusted application to obtain resource data in the MEC by verifying the validity of the token.
In step A, the specific process of constructing the SSL communication channel is as follows:
step 1, the certificate authority encrypts (signs) with its own private key the encryption algorithm, public key, certificate expiration time and other information of the third-party application client and of the MEC host respectively, thereby generating digital certificates that are sent to the client and to the MEC host respectively;
step 2, the third-party application client selects the SSL version, encryption algorithm, MAC algorithm and so on that it supports, appends its own random number, and sends them to the MEC host;
step 3, the MEC host confirms the supported encryption algorithm and sends the client its digital certificate, which contains its public key, the issuing organization and other information, together with the MEC host random number;
step 4, the client verifies the reliability of the digital certificate; after successful verification it generates a random secret, encrypts the newly generated secret with the public key of the MEC host, and sends it to the MEC host;
step 5, the MEC host decrypts the secret with its private key; the client and the MEC host then compute a session key from the random numbers each generated earlier and the newly obtained secret using the negotiated algorithm, at which point the encrypted channel is established.
Step B is shown in FIG. 2; the embodiment of the present invention describes the single sign-on mechanism by taking a user's first login to a third-party application as an example. The user information for a given user comprises a user name User and a password Password, and the application's own information for a given application comprises an application identifier App_id, an application key App_secret, a redirection address redirect_uri, a response type response_type, an authorization scope scope, an application state random number state, a timestamp, an authorization code, a grant type grant_type, an access token access_token, a refresh token refresh_token and a token expiration time expires_in. The specific steps are as follows:
step 1, the user logs in to the third-party application with the user name User and password Password, and an authentication request is sent to the OSS (operations support system) through the third-party application;
step 2, an LDAP server is deployed on the OSS side; the OSS obtains the user name and password and checks the user's identity by querying the access control list, saves the login state after successful authentication and proceeds to step 3, otherwise the login fails;
step 3, the OSS sends authorization information to the user, and after the user agrees to the authorization, the OSS sends the parameters carrying the third-party application's information to the MEPM;
step 4, the MEPM verifies that the third-party application is a trusted entity, generates an authorization code from the user and third-party application information and returns it; the MEPM also attaches a random number and a timestamp parameter to ensure the confidentiality and integrity of the authorization code;
step 5, the third-party application sends the authorization code together with its own parameters to the MEPM to request an access token in exchange;
step 6, the MEPM encrypts the access token and the refresh token with the third-party application key and returns them;
step 7, the third-party application stores the tokens locally; every subsequent resource request to the MEC system carries the access token, and the MEPM returns the protected data after verifying that the token is valid.
Step C is shown in FIG. 3, in which the user accesses MEC system services through a trusted application; the specific steps are as follows:
step 1, when the user requests a service from a trusted application, the trusted application attaches its access token and sends it to the OSS;
step 2, the OSS verifies the user's login state by checking the database; if the login state is confirmed valid, step 3 is executed, otherwise the user logs in again;
step 3, the OSS sends the access token to the MEPM; if the MEPM confirms that the token is valid it returns the user information data in the MEC directly, otherwise step 4 is executed;
step 4, the MEPM returns an authorization page to the user; the user must confirm the authorization again but does not need to log in again; if the authorization is granted, step 5 is executed, otherwise the authorization fails;
step 5, the trusted application sends the refresh token encrypted with App_secret, its own information, a random number, a timestamp and other parameters to the MEPM;
step 6, the MEPM updates the access token according to the refresh token and returns it;
step 7, the trusted application requests the resource data in the MEC host with the new access token, which completes the authorization process.
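The first-login (step B) and second-login (step C) token flows above, as an added Python example that is not the patent's own code: a toy MEPM registers a trusted application, issues an authorization code bound to App_id, redirect_uri, scope, state, a random number and a timestamp, exchanges the code exactly once for an access token and a refresh token, checks token validity on resource requests, and re-issues an access token from the refresh token. Assumptions of this example: tokens are HMAC-SHA256-signed JSON under a server key rather than being encrypted with App_secret, the OSS/LDAP login-state check is left out, and the TTLs and allowed clock skew are made up.

```python
# Added example: toy MEPM for the patent's first-login (step B) and second-login
# (step C) flows.  Not the patent's code; token format, TTLs and skew are assumed.
import base64, hashlib, hmac, json, secrets

CODE_TTL = 60       # seconds an authorization code stays exchangeable (assumed)
ACCESS_TTL = 3600   # expires_in returned with every access token (assumed)
CLOCK_SKEW = 30     # tolerated |now - timestamp| on client requests (assumed)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class MEPM:
    """Registry of trusted applications plus code/token issuer and checker."""

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.apps = {}            # App_id -> (App_secret, redirect_uri)
        self.codes = {}           # authorization code -> metadata (single use)
        self.refresh_tokens = {}  # refresh token -> (App_id, user, scope)
        self.seen_nonces = set()

    def register(self, app_id, app_secret, redirect_uri):
        """Outcome of step A: the application becomes a trusted entity."""
        self.apps[app_id] = (app_secret, redirect_uri)

    def _sign(self, claims: dict) -> str:
        # HMAC-signed token stands in for the page's App_secret-encrypted token
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(mac)

    def _verify(self, token: str):
        try:
            body, mac = token.split(".")
        except ValueError:
            return None
        expect = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(mac, expect):
            return None
        return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

    def _fresh(self, nonce, timestamp, now) -> bool:
        # random number + timestamp: reject replayed nonces and stale requests
        if nonce in self.seen_nonces or abs(now - timestamp) > CLOCK_SKEW:
            return False
        self.seen_nonces.add(nonce)
        return True

    def authorize(self, user, app_id, redirect_uri, response_type, scope, state, now):
        """Steps B3/B4: the OSS forwards the user-approved request; a code comes back."""
        app = self.apps.get(app_id)
        if app is None or app[1] != redirect_uri or response_type != "code":
            return None
        code = secrets.token_urlsafe(16)
        nonce = secrets.token_hex(8)
        self.codes[code] = dict(user=user, app_id=app_id, scope=scope,
                                nonce=nonce, issued=now)
        return dict(code=code, state=state, nonce=nonce, timestamp=now)

    def token(self, app_id, app_secret, grant_type, code, nonce, timestamp, now):
        """Steps B5/B6: exchange the code for an access token and a refresh token."""
        meta = self.codes.pop(code, None)       # a code is burned on first use
        app = self.apps.get(app_id)
        if meta is None or app is None or not hmac.compare_digest(app[0], app_secret):
            return None
        if grant_type != "authorization_code" or meta["app_id"] != app_id:
            return None
        if (meta["nonce"] != nonce or now - meta["issued"] > CODE_TTL
                or not self._fresh(nonce, timestamp, now)):
            return None
        access = self._sign(dict(sub=meta["user"], app=app_id,
                                 scope=meta["scope"], exp=now + ACCESS_TTL))
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = (app_id, meta["user"], meta["scope"])
        return dict(access_token=access, refresh_token=refresh, expires_in=ACCESS_TTL)

    def check(self, access_token, now):
        """Step B7 / C3: claims of a valid, unexpired token, otherwise None."""
        claims = self._verify(access_token)
        if claims is None or claims["exp"] <= now:
            return None
        return claims

    def refresh_access(self, app_id, app_secret, refresh, nonce, timestamp, now):
        """Steps C5/C6: issue a new access token from a refresh token."""
        app = self.apps.get(app_id)
        entry = self.refresh_tokens.get(refresh)
        if (app is None or entry is None or entry[0] != app_id
                or not hmac.compare_digest(app[0], app_secret)):
            return None
        if not self._fresh(nonce, timestamp, now):
            return None
        access = self._sign(dict(sub=entry[1], app=app_id,
                                 scope=entry[2], exp=now + ACCESS_TTL))
        return dict(access_token=access, expires_in=ACCESS_TTL)
```

The checks that matter for a defender are the ones the page lists only as parameters: the redirect_uri must match the registered one, the code is single-use and short-lived, and the random number and timestamp are rejected on replay or clock drift.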
It should be noted that the present invention is not limited to the above-mentioned embodiments, the protection scope of the present invention is determined by the appended claims, and the technical solutions and modifications based on the spirit and scope of the present invention should be covered by the claims of the present invention.

Claims (2)

1. The OAuth 2.0-based single sign-on mechanism for the MEC environment mainly involves five types of entities, namely the Operations Support System (OSS), the Mobile Edge Platform Manager (MEPM), the MEC Host, third-party applications and the LDAP server;
Operations Support System (OSS): the OSS checks the access requests and authorization information of third-party applications deployed in the MEC environment, and request data that has been authenticated and authorized by the OSS is forwarded to the MEPM for processing;
Mobile Edge Platform Manager (MEPM): the MEPM includes functions such as the creation, termination and authentication management of MEC applications;
MEC Host: the MEC host comprises three parts, the Mobile Edge Platform (MEP), MEC applications and the virtualization infrastructure; the MEP provides the operating environment for MEC applications, an MEC application is a virtualized program that interfaces with third-party applications through an open application programming interface so as to provide users with various services, and the virtualization infrastructure provides the underlying hardware computing and storage on which multiple MEC applications run;
Third-party applications: third-party service providers design applications according to business needs, and a third-party application obtains protected resources by requesting them from the MEC system, thereby providing application services to legitimate users;
LDAP server: used to send Lightweight Directory Access Protocol requests, process queries, update access control lists, and return user information;
Implementing an OAuth 2.0-based single sign-on mechanism in the above MEC environment mainly involves the following steps:
- when a user logs in to a third-party application for the first time and makes a resource access request to the MEC system, the third-party application finds that the user is not logged in and then sends an authentication request carrying the user name/password to the OSS;
- the OSS deploys an LDAP server for centralized user management and authentication; the OSS queries the access control list (ACL) from the LDAP server according to the user information, checks the user's identity against the obtained user name and password, and saves the login state after successful verification;
- the OSS sends authorization information to the user; after the user agrees to the authorization, the OSS sends the parameters carrying the third-party application's identity information to the MEPM;
- the MEPM confirms that the third-party application is a trusted entity and then sends an authorization code, carrying a random number and a timestamp parameter, to the third-party application;
- the third-party application sends the authorization code together with its own information parameters to the MEPM to request an access token in exchange;
- the MEPM encrypts the access token and returns it to the third-party application, together with a refresh token for the subsequent update process;
- the third-party application stores the token locally; every subsequent resource request to the MEC system carries the access token, and the MEPM checks the validity of the token and returns the user's resource data if it is valid;
- when the user accesses another trusted application, the trusted application sends the access token to the OSS;
- the OSS checks the user's login state in the database to determine whether re-authentication is required; if the user's login state is confirmed valid, control passes to the MEPM to verify the validity of the access token;
- after the MEPM confirms that the access token is valid, it directly returns the user information data in the MEC, completing the login process of the trusted application.
2. The five types of entities as claimed in claim 1, characterized in that an OAuth 2.0-based single sign-on mechanism is realized in the MEC environment comprising the following steps:
· Third-party application registration
In the registration phase, the third-party application negotiates a session key with the MEC host, which provides an SSL-encrypted channel for the subsequent unified user authentication and authorization process and ensures the security of data transmission. It mainly performs the following operations:
- the certificate authority uses its own private key to encrypt (sign) the encryption algorithm, public key, certificate expiration time and other information of the third-party application client and of the MEC host respectively, thereby generating digital certificates that are sent to the client and to the MEC host respectively;
- the third-party application client selects the SSL version, encryption algorithm, MAC algorithm and so on that it supports, appends a client random number, and sends them to the MEC host;
that it supports, and attach a client random number to send to the MEC host; -MEC主机确认支持的加密算法,并将包含自身公钥、颁发机构等信息的数字证书与MEC主机随机数一同发送给客户端;-The MEC host confirms the supported encryption algorithms, and sends the digital certificate containing its own public key, issuing authority and other information to the client together with the MEC host random number; -客户端在完成针对数字证书可靠性的检验后,生成一串随机数密码,之后使用MEC主机公钥加密新生成的随机数密码,并发送给MEC主机;- After the client completes the verification of the reliability of the digital certificate, it generates a string of random number passwords, and then uses the MEC host public key to encrypt the newly generated random number password and sends it to the MEC host; -MEC主机利用私钥解密出密码,客户端与MEC主机利用协商的加密算法对之前各自生成的随机数与新得到的密码进行计算,从而生成会话密钥,以此来加密之后的通信内容;-The MEC host uses the private key to decrypt the password, and the client and the MEC host use the negotiated encryption algorithm to calculate the previously generated random number and the newly obtained password, thereby generating the session key, so as to encrypt the communication content afterward; ·认证与授权·Authentication and authorization 认证与授权阶段包含两部分,分别为用户首次通过第三方应用访问MEC系统内的资源服务,以及用户第二次通过授信应用访问MEC系统服务;The authentication and authorization phase consists of two parts, which are the first time the user accesses the resource services in the MEC system through a third-party application, and the second time the user accesses the MEC system service through a credit application; 认证部分,即用户首次登录过程执行下列操作:The authentication part, where the user logs in for the first time, does the following: -用户首次登录第三方应用向MEC系统提出资源访问请求时,第三方应用发现其未登录状态,之后发送携带有用户名/密码的认证请求到OSS;- When a user logs in to a third-party application for the first time and makes a resource access request to the MEC system, the third-party application finds that the user is not logged in, and then sends an authentication request with a username/password to the OSS; 
-OSS会部署一个LDAP服务器用于集中式的用户管理、认证,OSS根据用户信息从LDAP服务器中查询访问控制列表ACL(AccessControlList),通过获取用户名口令查验用户身份,验证成功后保存登录状态;-OSS will deploy an LDAP server for centralized user management and authentication. OSS queries the ACL (Access Control List) from the LDAP server according to user information, and verifies the user's identity by obtaining the user name and password, and saves the login status after successful authentication; -OSS发送授权信息给用户,用户同意授权后,OSS将携带有第三方应用身份标识App_id、重定向地址、响应类型、访问权限、状态随机数state、时间戳等参数发送给MEPM;-OSS sends the authorization information to the user. After the user agrees to the authorization, the OSS sends the MEPM with parameters such as the third-party application identity identifier App_id, redirection address, response type, access authority, state random number state, and timestamp; -MEPM确认第三方应用为受信任实体,之后发送授权码给第三方应用,并携带有随机数、时间戳参数;-MEPM confirms that the third-party application is a trusted entity, and then sends the authorization code to the third-party application, which carries the random number and timestamp parameters; -第三方应用将授权码、App_id、应用自身密钥App_secret、随机数、时间戳一并发送到MEPM,申请换取访问令牌;-The third-party application sends the authorization code, App_id, App_secret, random number, and timestamp to MEPM together to apply for an access token; -MEPM利用App_secret对访问令牌进行加密并返回给第三方应用,同时还将携带有刷新令牌用于后续更新过程;-MEPM encrypts the access token with App_secret and returns it to the third-party application, and also carries the refresh token for subsequent update process; -第三方应用本地存储令牌,之后针对MEC系统的每一次资源请求都会携带访问令牌,MEPM查验令牌的有效性,有效即返回用户资源数据;- The third-party application stores the token locally, and each resource request to the MEC system will carry the access token. 
MEPM checks the validity of the token, and returns the user resource data if it is valid; 授权部分,即用户第二次登录过程执行下列操作:The authorization part, the user's second login process, does the following: -与首次登录第三方应用的用户不同,用户在访问授信应用时,授信应用将携带访问令牌发送到OSS;- Different from users who log in to third-party applications for the first time, when users access the credit application, the credit application will send the access token to OSS; -OSS通过查验数据库中用户登录状态,以确定是否需要重新身份验证, 如果用户的登录状态确认为有效,跳转至MEPM检验访问令牌的有效性;-OSS checks the user's login status in the database to determine whether re-authentication is required. If the user's login status is confirmed to be valid, it jumps to MEPM to verify the validity of the access token; -MEPM确认访问令牌有效后,直接返回MEC内用户信息数据;- After MEPM confirms that the access token is valid, it directly returns the user information data in the MEC; -若MEPM判断访问令牌失效,则会返回授权页面给用户,用户需要重新确认授权但无需再次登录认证;- If MEPM determines that the access token is invalid, it will return the authorization page to the user, and the user needs to re-confirm the authorization but does not need to log in again for authentication; -用户确认授权后,授信应用发送App_id、由App_secret加密后的刷新令牌、随机数、时间戳等参数到MEPM;- After the user confirms the authorization, the trusted application sends the App_id, the refresh token encrypted by the App_secret, the random number, the timestamp and other parameters to the MEPM; -MEPM根据刷新令牌更新访问令牌并返回;- MEPM updates the access token based on the refresh token and returns; -授信应用利用新的访问令牌请求获取MEC主机中的资源数据。- The trusted application uses the new access token to request resource data in the MEC host.
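The MEPM side of the authorization-code, validation and refresh steps in claims 1 and 2, as an added Python example that is not part of the patent. Assumptions: the app registry, token lifetimes, clock skew and the use of an HMAC-SHA256 tag in place of the claims' unspecified "encrypt with App_secret" are all my own choices; the single-use authorization code and the nonce/timestamp replay check are how a practitioner would realise the checks the claims describe.

```python
import hmac, hashlib, secrets, time

# Constructed registry of trusted third-party apps: App_id -> App_secret (values are made up).
TRUSTED_APPS = {"app-weather": "weather-app-secret"}
CODE_TTL, TOKEN_TTL, SKEW = 60, 300, 30  # seconds; assumed values, the claims give none

def wrap(token, app_secret):
    # Stands in for "encrypt the token with App_secret": an HMAC tag binds the token to the app.
    tag = hmac.new(app_secret.encode(), token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"

def unwrap(wrapped, app_secret):
    token = wrapped.rpartition(".")[0]
    return token if hmac.compare_digest(wrap(token, app_secret), wrapped) else None

class MEPM:
    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised in tests
        self.codes, self.tokens, self.refresh, self.nonces = {}, {}, {}, set()
    def _fresh(self, nonce, ts):
        # Every request carries a random number and timestamp; reject skew and replays.
        if abs(self.now() - ts) > SKEW or nonce in self.nonces:
            return False
        self.nonces.add(nonce)
        return True
    def _grant(self, app_id, user, scope):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = (app_id, user, scope, self.now() + TOKEN_TTL)
        self.refresh[refresh] = (app_id, user, scope)
        secret = TRUSTED_APPS[app_id]
        return {"access_token": wrap(access, secret), "refresh_token": wrap(refresh, secret)}
    def authorize(self, app_id, response_type, scope, state, user):
        # OSS forwards App_id, response type, scope and state after the user consents;
        # only a registered (trusted) app gets a code, returned with nonce and timestamp.
        if app_id not in TRUSTED_APPS or response_type != "code":
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (app_id, user, scope, self.now())
        return {"code": code, "state": state, "nonce": secrets.token_hex(8), "ts": self.now()}
    def exchange(self, code, app_id, app_secret, nonce, ts):
        rec = self.codes.pop(code, None)  # single use: a replayed code finds nothing
        ok = (rec is not None and rec[0] == app_id
              and hmac.compare_digest(app_secret, TRUSTED_APPS.get(app_id, "")))
        if not ok or self.now() - rec[3] > CODE_TTL or not self._fresh(nonce, ts):
            return None
        return self._grant(app_id, rec[1], rec[2])
    def validate(self, wrapped_access, app_id):
        # Run on every resource request and on the second (trusted-app) login.
        rec = self.tokens.get(unwrap(wrapped_access, TRUSTED_APPS.get(app_id, "")))
        if rec is None or rec[0] != app_id or rec[3] <= self.now():
            return None
        return {"user": rec[1], "scope": rec[2]}
    def refresh_token(self, app_id, wrapped_refresh, nonce, ts):
        # Refresh tokens are single use as well; each refresh rotates both tokens.
        rec = self.refresh.pop(unwrap(wrapped_refresh, TRUSTED_APPS.get(app_id, "")), None)
        if rec is None or rec[0] != app_id or not self._fresh(nonce, ts):
            return None
        return self._grant(app_id, rec[1], rec[2])
```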
CN202110030236.XA 2021-01-11 2021-01-11 MEC environment-oriented OAuth 2.0-based single sign-on mechanism Expired - Fee Related CN112822675B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110030236.XA CN112822675B (en) 2021-01-11 2021-01-11 MEC environment-oriented OAuth 2.0-based single sign-on mechanism

Publications (2)

Publication Number Publication Date
CN112822675A CN112822675A (en) 2021-05-18
CN112822675B true CN112822675B (en) 2021-11-23

Family

ID=75868695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110030236.XA Expired - Fee Related CN112822675B (en) 2021-01-11 2021-01-11 MEC environment-oriented OAuth 2.0-based single sign-on mechanism

Country Status (1)

Country Link
CN (1) CN112822675B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115529143B (en) * 2021-06-24 2025-04-25 中移(成都)信息通信科技有限公司 Communication method, device, related equipment and storage medium
CN115529144B (en) * 2021-06-24 2024-06-18 中移(成都)信息通信科技有限公司 Communication system, method, apparatus, first device, second device, and storage medium
CN113949566B (en) * 2021-10-15 2024-06-11 工银科技有限公司 Resource access method, device, electronic equipment and medium
CN114040404B (en) * 2021-11-08 2024-06-07 中国电信股份有限公司 Data distribution method, system, equipment and storage medium
CN114065282B (en) * 2021-11-15 2025-05-23 国网江苏省电力有限公司营销服务中心 Data security sharing method and system in untrusted environment
CN114357422A (en) * 2021-12-07 2022-04-15 苏州瀚码智能技术有限公司 Platform integration login and management based implementation method
CN114650142B (en) * 2022-02-25 2024-01-30 深圳市梦网科技发展有限公司 5G message identity authentication method, system and computer readable storage medium
CN114760138B (en) * 2022-04-20 2024-02-13 深圳市昊洋智能有限公司 Video conference system safety method and device based on cloud architecture
CN114884718B (en) * 2022-04-28 2023-08-22 广东电网有限责任公司 Data processing method, device, equipment and storage medium
CN115118454B (en) * 2022-05-25 2023-06-30 四川中电启明星信息技术有限公司 Cascade authentication system and authentication method based on mobile application
CN114978741B (en) * 2022-06-07 2024-03-19 中国电信股份有限公司 Inter-system authentication method and system
CN115051809A (en) * 2022-06-15 2022-09-13 道和邦(广州)电子信息科技有限公司 SMG-wscomm-Msession-ECToken dynamic token technology based on encrypted CookieToken login-free authentication
CN115314217B (en) * 2022-07-21 2025-01-03 中国铁道科学研究院集团有限公司电子计算技术研究所 Cross-multi-access edge computing system login method and device
CN116055151A (en) * 2022-12-31 2023-05-02 鼎道智联(北京)科技有限公司 Service authority token acquisition method, system, electronic device and storage medium
CN116633636A (en) * 2023-05-29 2023-08-22 三峡高科信息技术有限责任公司 Hierarchical access control method in enterprise information system
CN118890223B (en) * 2024-09-29 2025-02-07 广州尚航信息科技股份有限公司 A single sign-on method and single point management device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109063461A (en) * 2018-09-26 2018-12-21 郑州云海信息技术有限公司 Third-party password-free login method and system
CN110995450A (en) * 2020-02-27 2020-04-10 中科星图股份有限公司 Authentication and authorization method and system based on Kubernetes
CN111345006A (en) * 2017-11-14 2020-06-26 微软技术许可有限责任公司 double binding
CN111385100A (en) * 2018-12-27 2020-07-07 柯尼卡美能达美国研究所有限公司 Method, computer readable medium and mobile device for accessing resources
CN111512579A (en) * 2018-03-30 2020-08-07 英特尔公司 Multiple access management service packet recovery mechanism
CN111656754A (en) * 2018-07-13 2020-09-11 三星电子株式会社 Method and electronic device for edge computing service

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3804458A4 (en) * 2018-06-06 2022-03-09 INTEL Corporation Vehicle-to-everything session and service continuity in automotive edge computing systems
US11689521B2 (en) * 2018-06-22 2023-06-27 Verizon Patent And Licensing Inc. Native single sign-on (SSO) for mobile applications
CN109358967B (en) * 2018-09-26 2021-01-05 中国联合网络通信集团有限公司 ME platform APP instantiation migration method and server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
An OpenID Connect-based authentication and authorization scheme for industrial internet platforms; Ji Jianquan et al.; Cyberspace Security (网络空间安全); 2020-07-31; Vol. 11, No. 7; full text *

Also Published As

Publication number Publication date
CN112822675A (en) 2021-05-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20211123